fix CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781

2023-09-12 12:35:36 +00:00 · 2023-09-12 12:35:36 +00:00 · a8d9e0da9a
commit a8d9e0da9a
parent 2d1ec3ce97
5 changed files with 169 additions and 2 deletions
--- a/backport-CVE-2023-4738.patch
+++ b/backport-CVE-2023-4738.patch
@ -0,0 +1,43 @@
+From ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sat, 2 Sep 2023 21:15:52 +0200
+Subject: [PATCH 23/52] patch 9.0.1848: [security] buffer-overflow in
+ vim_regsub_both()
+
+Problem:  buffer-overflow in vim_regsub_both()
+Solution: Check remaining space
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/ex_cmds.c                     |  3 +++
+ src/regexp.c                      |  3 ++-
+ 2 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index c30b6fddf..53c7bb5a3 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -4542,6 +4542,9 @@ ex_substitute(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
+		if (new_start_len - copy_len < sublen)
+		    sublen = new_start_len - copy_len - 1;
+
+ #ifdef FEAT_EVAL
+ 		++textlock;
+ #endif
+diff --git a/src/regexp.c b/src/regexp.c
+index 9c576c689..edd1293a5 100644
+--- a/src/regexp.c
+++ b/src/regexp.c
+@@ -2007,7 +2007,8 @@ vim_regsub_both(
+ 	// "flags & REGSUB_COPY" != 0.
+ 	if (copy)
+ 	{
+-	    if (eval_result[nested] != NULL)
+	    if (eval_result[nested] != NULL &&
+		    STRLEN(eval_result[nested]) < destlen)
+ 	    {
+ 		STRCPY(dest, eval_result[nested]);
+ 		dst += STRLEN(eval_result[nested]);
--- a/backport-CVE-2023-4750.patch
+++ b/backport-CVE-2023-4750.patch
@ -0,0 +1,41 @@
+From fc68299d436cf87453e432daa77b6d545df4d7ed Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 3 Sep 2023 20:20:52 +0200
+Subject: [PATCH 32/52] patch 9.0.1857: [security] heap-use-after-free in
+ is_qf_win()
+
+Problem:  heap-use-after-free in is_qf_win()
+Solution: Check buffer is valid before accessing it
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/main.c                        |  2 +-
+ src/quickfix.c                    |  2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index cca53fe25..a40c3a666 100644
+--- a/src/main.c
+++ b/src/main.c
+@@ -1606,7 +1606,7 @@ getout(int exitval)
+ 	    next_tp = tp->tp_next;
+ 	    FOR_ALL_WINDOWS_IN_TAB(tp, wp)
+ 	    {
+-		if (wp->w_buffer == NULL)
+		if (wp->w_buffer == NULL || !buf_valid(wp->w_buffer))
+ 		    // Autocmd must have close the buffer already, skip.
+ 		    continue;
+ 		buf = wp->w_buffer;
+diff --git a/src/quickfix.c b/src/quickfix.c
+index aa431ea10..a3d3e8fb7 100644
+--- a/src/quickfix.c
+++ b/src/quickfix.c
+@@ -4426,7 +4426,7 @@ is_qf_win(win_T *win, qf_info_T *qi)
+     // set to NULL.
+     // A window displaying a location list buffer will have the w_llist_ref
+     // pointing to the location list.
+-    if (bt_quickfix(win->w_buffer))
+    if (buf_valid(win->w_buffer) && bt_quickfix(win->w_buffer))
+ 	if ((IS_QF_STACK(qi) && win->w_llist_ref == NULL)
+ 		|| (IS_LL_STACK(qi) && win->w_llist_ref == qi))
+ 	    return TRUE;
--- a/backport-CVE-2023-4752.patch
+++ b/backport-CVE-2023-4752.patch
@ -0,0 +1,28 @@
+From ee9166eb3b41846661a39b662dc7ebe8b5e15139 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 3 Sep 2023 21:24:33 +0200
+Subject: [PATCH 33/52] patch 9.0.1858: [security] heap use after free in
+ ins_compl_get_exp()
+
+Problem:  heap use after free in ins_compl_get_exp()
+Solution: validate buffer before accessing it
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/insexpand.c                   |  2 +-
+ 2 files changed, 1 insertions(+), 1 deletions(-)
+ create mode 100644 src/testdir/crash/poc_tagfunc.vim
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index 3cfdface4..b767b4efd 100644
+--- a/src/insexpand.c
+++ b/src/insexpand.c
+@@ -3840,7 +3840,7 @@ ins_compl_get_exp(pos_T *ini)
+ 	else
+ 	{
+ 	    // Mark a buffer scanned when it has been scanned completely
+-	    if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+	    if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
+ 		st.ins_buf->b_scanned = TRUE;
+ 
+ 	    compl_started = FALSE;
--- a/backport-CVE-2023-4781.patch
+++ b/backport-CVE-2023-4781.patch
@ -0,0 +1,45 @@
+From f6d28fe2c95c678cc3202cc5dc825a3fcc709e93 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 5 Sep 2023 20:18:06 +0200
+Subject: [PATCH 53/58] patch 9.0.1873: [security] heap-buffer-overflow in
+ vim_regsub_both
+
+Problem:  heap-buffer-overflow in vim_regsub_both
+Solution: Disallow exchanging windows when textlock is active
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/ex_cmds.c                         |   3 +++
+ src/window.c                          |   5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 4f1d93244..566ed7dad 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -4461,6 +4461,9 @@ ex_substitute(exarg_T *eap)
+ 		{
+ 		    nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
+ 		    skip_match = TRUE;
+		    // safety check
+		    if (nmatch < 0)
+			goto skip;
+ 		}
+ 
+ 		// Need room for:
+diff --git a/src/window.c b/src/window.c
+index 1af2395df..f77ede330 100644
+--- a/src/window.c
+++ b/src/window.c
+@@ -1738,6 +1738,11 @@ win_exchange(long Prenum)
+ 	beep_flush();
+ 	return;
+     }
+    if (text_or_buf_locked())
+    {
+	beep_flush();
+	return;
+    }
+ 
+ #ifdef FEAT_GUI
+     need_mouse_correct = TRUE;
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        16
+Release:        17
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -102,6 +102,10 @@ Patch6072:      backport-patch-9.0.0473-fullcommand-only-works-for-the-current-s
 Patch6073:      backport-patch-9.0.0474-fullcommand-testfailure.patch
 Patch6074:      backport-CVE-2023-4734.patch
 Patch6075:      backport-CVE-2023-4735.patch
+Patch6076:      backport-CVE-2023-4738.patch
+Patch6077:      backport-CVE-2023-4750.patch
+Patch6078:      backport-CVE-2023-4752.patch
+Patch6079:      backport-CVE-2023-4781.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -408,7 +412,7 @@ popd

 %check
 export TERM=xterm
-LC_ALL=en_US.UTF-8 make -j1 test
+LANG=en_US.UTF-8 make -j1 test

 %files common
 %exclude %{_datadir}/vim/%{vimdir}/macros/maze/maze*.c
@ -510,6 +514,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Sep 12 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-17
+- Type:CVE
+- ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781
+- SUG:NA
+- DESC:fix CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781
+
 * Thu Sep 07 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-16
 - Type:CVE
 - ID:CVE-2023-4736 CVE-2023-4733 CVE-2023-4734 CVE-2023-4735